defyourtype
66 posts


After seeing @thedawgyg's fuzzing posts, I started learning about fuzzing myself.
the results so far have been encouraging: interesting crashes, memory corruption indicators, and plenty more to dig into.
#TogetherWeHitHarder #bugbounty

@Mister_Ch0c @thedawgyg @Hacker0x01 no way, web2 payouts are way lower on average. web3 charges because the bugs require full PoC exploits and deep technical validation.
Lol @Hacker0x01 rate limiting telling me my signal is 0 and I'm not allowed to have more than X open reports... wtf lol
@wearehackerone It's still a win, dup of a triaged report… when was the original submitted?
Made approx. 50k this month using both manual and AI,
from @Hacker0x01 and @Bugcrowd.
hackerone.com/rohaa_n
bugcrowd.com/h/Rohan_Gupta
#BugBounty

@_godiego__ @Bugcrowd Bro, why did you stop doing bb writeups??
5/19/24 vs 5/19/26. That guy has no clue.

Mukul Goyal@itz_mg_
Just crossed 100 rep points on Amazon VRP! I know it is small, but it feels so fulfilling. Thought a stupid 15 yo like me could never find bugs in Amazon.
@ahmtbrt07 @rez0__ I received a bounty from them. Although they didn't pay much in April, they paid out over 20 reports this month. Something likely happened last month, but they are definitely not a fraud.
@defyourtype_ I have permission, of course; it shouldn't be private and will likely be public soon.
@0xatharv @Bugcrowd @bugbountywizard @BugcrowdSupport This happens to me too. It's the same root endpoint, I guess, so they need to issue just one fix for the 'cancellation' endpoint as a whole. Don't agree with it, but can't really do anything about it.
Submitted a valid auth bypass yesterday: anyone could cancel bookings without authorization. The triager marked it as a duplicate of a completely different report just because the first two words of the API path looked similar.
@Bugcrowd please ask your triagers not to work while they are on ..


Atharv@0xatharv
Seriously? @Bugcrowd using AI to triage reports?
@bhavukjain1 I've faced this a lot; most of them are closed as design issues on programs I hunt. It's because the team themselves aren't sure what they are supposed to do. I mean, what's the point of new permissions/features if the team isn't willing to own the security consequences that come along?
If a report leads to a permission fix, how is it not a broken access control issue?
Looking for different perspectives.
Background: a staff member could perform actions without the required permissions.
#shopify

I NEED TO TALK WITH SOMEONE FROM @supabase security team right now.
Can someone link me, please?!!!
@arshadkazmi42 Insane, I am still trying to figure out my AI workflows. You use the $100 plan?
I finally seem to have a working AI bug hunter setup.
All findings using Claude Code with Opus 4.7.
Got a few duplicates but seems like the workflow is working in the right direction now.
Two interesting findings I had on one program:
- LLM Injection: my first LLM injection. Initially Claude Code flagged it and discarded it, saying it's LLM injection, as if it's an invalid bug 😄. I had to ask it to focus on LLM injections and it was easily able to bypass it. Seems like there were no filters for LLM injection. But the workflow didn't have any MCP or tools, so the impact was not much.
- RCE on Windows machine: it found an image proxy where the user can control file names. It suggested it's a low finding and the only thing we can do is defame the company by uploading malicious images with malicious names. Then I asked that if we can control images, we should be able to bypass it to upload executables, and it was able to find a full workflow to bypass the image check and upload a Windows executable which would be served from the target-owned image proxy and run on Windows machines to achieve RCE.

@inscryption1 @Hacker0x01 You completed ID verification and tried to withdraw bounties from there?
I guess that's the issue. But their Code of Conduct says they give out 2 warnings.
@defyourtype_ @Hacker0x01 I have two H1 accounts. When I created the second one I didn't know that it could violate their policy. Also, I didn't do anything wrong with that account, like reputation farming, duplicate submissions etc. I explained to them but nothing happened.
Hey @Hacker0x01, I’ve contributed 500+ reports to your platform. Due to an account restriction, I’m currently unable to access my hard-earned pending bounties or provide "Needs More Info" for critical security risks I’ve reported.
@Ehsan1579 Wait tf, you started a year ago and are making a mil every quarter now?
Around this month, April, last year, I was under a lot of financial pressure. Family had a lot of debt, no money, wifi and phone lines cut off, nobody could talk to each other, no food; I used to eat potatoes my brother made with some garlic, and there was no hope for any better future. Last attempts at creating something valuable in the world failed despite being very close. Failure was all there was.
When humans face immense pressure, I believe they turn into a robotic state: they stop processing emotions temporarily, and the need to have a purpose or to think something through before doing it is gone, and so is your self-awareness; you just turn into this thing that needs to survive at least one last time. I went to libraries and worked there. I didn't expect much; I just did whatever I had to do. When the libraries closed, I used to park outside the library in the parking lot so I could still access the library's wifi.
April was a difficult month, but then that's when May came.
@valent1nee @GoogleVRP congrats, your writeups are such a good read!
I'm so happy to have won the MVH at the latest Google LHE (Seoul 2026). Thank you, @GoogleVRP, for the amazing event!